Automating social engineering (ASE)

Abstract-- Automated social engineering (ASE) takes the classical social engineering attack one step further and makes it a time-efficient and thus cheap attack. ASE is enabled by social networking sites (SNSs), which hold a pool of digitized personal information that makes traditional social engineering approaches such as dumpster diving obsolete. We created a proof-of-concept ASE bot on the basis of Facebook,
which is one of the biggest SNSs at the time of writing. In order to
evaluate the feasibility of ASE attacks on Facebook we conducted two
experiments on the basis of our ASE bot implementation. In the first
experiment we evaluated the information gathering functionalities of
the ASE bot on the basis of five Swedish multinational corporations.
Although our application on average found more than eight possible
targets per organization, the actual number was dependent on the
organization's network size in Facebook and the privacy awareness of
their employees. In the second experiment we performed a Turing test
where twenty test subjects had to decide if they were talking to a real person
or to the ASE bot. The test subjects in general were able to identify
the ASE bot with a high probability. Although Facebook has a number of
protective measures in place, the ASE bot was not detected or
blocked during our experiments simply because it aimed at simulating an average Facebook user.
In conclusion, our results showed that ASE bots are feasible from a
technical standpoint and that existing chatbots need to be adapted for
social networking services.